Recipe 8.21. Granting Limited Rootly Powers with sudo

8.21.1 Problem

You would like to delegate some system
administration chores to other users, or set up an extra layer of
safety for your own root chores—but you want to do it in a way
that uses only limited rootly powers, and does not give away
root's password.

8.21.2 Solution

Let's say that you have a user,
jhaugh, upon whom you wish to bestow full rootly
powers. Because sudo users use their own
passwords, root's password is protected. Edit
/etc/sudoers with
visudo—it will open in your default text
editor:

Under the "User privilege
specification" line, you can add individual users:

jhaugh ALL=(ALL) ALL

This gives jhaugh root powers for everything on
the system and on all connected machines. Now say you have another
user, tgwynne, who needs root privileges only on
the local machine. Add the following line for this user:

tgwynne LOCALHOST = ALL

Adding to your delegation of minions is msmith,
who is allowed only to shut down the local machine:

msmith LOCALHOST = /sbin/shutdown, /sbin/halt

This grants groups of ordinary users shutdown privileges on their own
machines:

8.21.3 Discussion

sudo can also be used to let users execute
scripts, such as backup scripts. Be very careful with scripts, or any
command that gives shell access or invokes a text editor, because
these may allow users to escalate their privileges. You can try to
restrict sudo users to RJOE, which is a
restricted editor that cannot invoke a shell, but
it's better to be careful with how you delegate
rootly chores in the first place.